FLAIR match indecision: reference to function expected

 Description:
        IDA matched code bytes against at least one
        signature entry, but failed finding expected
        cross-references at certain offsets in the code.
        Consider the following .pat file contents:
                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _test ^000F _my_fun0
                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _smuk ^000F _my_fun1
        Now, turn that .pat file into a signature (.sig) file, telling
        sigmake to include function references into signature
        (using the -r switch).
        Then, apply that .sig file to a binary that you are
        examining.
        If IDA recognizes the 0x15-bytes long pattern in the binary, it
        will check that, at offset 0xF from the start of the match,
        a call to either "_my_fun0" or "_my_fun1" is performed.
        If either one of the two is found, then that code will
        be named "test", or "smuk", respectively.
        Otherwise, a SIGFNREF problem will be signalled.
 What to do:
        Examine the code pointed to by the address at the given
        offset (i.e., 0xF) and try and determine whether
        that function could be "_my_fun0", or "_my_fun1".
        If so, name it accordingly and re-apply the signature.
        An alternative is to generate the signature (.sig)
        file without the cross-references to functions
        (i.e., dropping the '-r' switch).
        But beware of collisions: a pattern like the
        one above will inevitably create a collision, since the
        pattern bytes are similar for the two entries.
Index | Previous topic | Next topic